Spring Security 认证授权
概念
它是Spring提供的安全控制框架。
Spring Security提供了认证授权的拦截功能,不需要自定义拦截器。
spring security内部提供了登录页面,不需要额外开发
Spring Security 实现认证授权基于Spring、SpringMvc框架
- 创建maven工程,pom.xml文件导入webmvc和servlet3.0,额外加入spring-security依赖
<!-- Packaged as a war so it can be deployed to a servlet container such as Tomcat -->
<packaging>war</packaging>
<!-- Compile for JDK 1.8 -->
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<!-- spring-webmvc and servlet-api dependencies -->
<!-- NOTE(review): the pinned 5.1.x lines of Spring Framework and Spring Security are old
     release trains; before reusing this pom, confirm they still receive security fixes and
     prefer a currently supported line. -->
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
<!-- Spring Security: config (Java-config DSL) and web (servlet filter chain) modules -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.1.4.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<!-- Embedded Tomcat 7 for local runs of the war -->
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
<configuration>
<hostName>localhost</hostName> <!-- Default: localhost -->
<port>8080</port> <!-- Listening port. Default: 8080 -->
<path>/</path> <!-- Context path of the application. Default: /${project.artifactId} -->
<uriEncoding>UTF-8</uriEncoding> <!-- URI encoding. Default: ISO-8859-1 -->
</configuration>
</plugin>
</plugins>
</build>
// Root Spring container configuration; the Java-config equivalent of applicationContext.xml.
@Configuration
// Scan the springmvc package but leave @Controller beans to the servlet (web) context,
// which scans them with the matching includeFilters in WebConfig.
@ComponentScan(basePackages = "com.gyf.security.springmvc"
,excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)})
public class ApplicationConfig {
// Holds what the XML config would have held: beans other than controllers, such as a
// data source, transaction manager and service beans. Intentionally empty in this sample.
}
//servletContext配置 /相当于springvc.xml文件
//该类实现WebMvcConfigurer接口进行配置
//组件扫描springmvc包,包含Controller包
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.gyf.security.springmvc"
,includeFilters = @ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class))
public class WebConfig implements WebMvcConfigurer {
/** View resolver: maps a logical view name to a JSP under /WEB-INF/view/. */
@Bean
public InternalResourceViewResolver viewResolver(){
    InternalResourceViewResolver resolver = new InternalResourceViewResolver();
    resolver.setPrefix("/WEB-INF/view/");
    resolver.setSuffix(".jsp");
    return resolver;
}
/** Registers a view controller so that "/" redirects to Spring Security's built-in login page. */
@Override
public void addViewControllers(ViewControllerRegistry registry) {
    String loginRedirect = "redirect:/login";
    registry.addViewController("/").setViewName(loginRedirect);
}
- 配置SpringSecurity配置类WebSecurityConfig
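/**
 * Spring Security configuration.
 * Extends WebSecurityConfigurerAdapter, defines the UserDetailsService and PasswordEncoder
 * beans and sets up the security interception rules in configure(HttpSecurity).
 */
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    /**
     * User information service (looks up user details by username).
     * Normally this queries a database; the sample keeps two demo accounts in memory.
     * The demo passwords are hashed with the configured PasswordEncoder before storage;
     * hard-coded credentials are for this sample only and must not be used in real code.
     */
    @Bean
    public UserDetailsService userDetailsService(){
        PasswordEncoder encoder = passwordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("zhangsan").password(encoder.encode("123456")).authorities("p1").build());
        manager.createUser(User.withUsername("lisi").password(encoder.encode("123")).authorities("p2").build());
        return manager;
    }
    /**
     * Password encoder: defines how a submitted password is compared with the stored one.
     * The original used NoOpPasswordEncoder, which is deprecated and compares plaintext, so the
     * user store held recoverable passwords. The delegating encoder hashes with bcrypt by default
     * and prefixes stored values with the encoder id ({bcrypt}), so matching keeps working if the
     * default algorithm is upgraded later. The fully qualified name is used because the import
     * block is outside this excerpt.
     */
    @Bean
    public PasswordEncoder passwordEncoder(){
        return org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
    /**
     * Security interception rules. Matchers are evaluated in order, so the specific /r/r1 and
     * /r/r2 rules must stay ahead of the /r/** catch-all. CSRF protection is left at its default
     * (enabled) for the form login.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/r/r1").hasAuthority("p1")   // /r/r1 requires authority p1
            .antMatchers("/r/r2").hasAuthority("p2")   // /r/r2 requires authority p2
            .antMatchers("/r/**").authenticated()      // everything under /r/ requires an authenticated user
            .anyRequest().permitAll()                  // all other requests are open
            .and()
            .formLogin()                               // enable form-based login
            .successForwardUrl("/login-success");      // forward to the custom success endpoint after login
    }
}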
/**
 * Programmatic replacement for web.xml: registers the root and servlet contexts from the
 * configuration classes below and maps the DispatcherServlet.
 * Extends AbstractAnnotationConfigDispatcherServletInitializer.
 */
public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    /** Root context (the applicationContext.xml equivalent): application and security config. */
    @Override
    protected Class<?>[] getRootConfigClasses() {
        Class<?>[] rootConfigs = {ApplicationConfig.class, WebSecurityConfig.class};
        return rootConfigs;
    }
    /** Servlet context (the springmvc.xml equivalent): web MVC config. */
    @Override
    protected Class<?>[] getServletConfigClasses() {
        Class<?>[] servletConfigs = {WebConfig.class};
        return servletConfigs;
    }
    /** URL mapping of the DispatcherServlet. */
    @Override
    protected String[] getServletMappings() {
        String[] mappings = {"/"};
        return mappings;
    }
}
/**
 * Spring Security initializer: registers the Spring Security filter (springSecurityFilterChain)
 * with the servlet container. WebSecurityConfig is already loaded through the root context in
 * SpringApplicationInitializer, so no configuration class is passed to the superclass here.
 */
public class SpringSecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
    public SpringSecurityApplicationInitializer() {
        // Equivalent to the no-arg default; super(WebSecurityConfig.class) would only be
        // needed if the security config were not part of the root context.
        super();
    }
}
// @RestController = @Controller + @ResponseBody: return values are written straight to the response body.
@RestController
public class LoginController {
    private static final String PLAIN_TEXT_UTF8 = "text/plain;charset=utf-8";

    // Target of successForwardUrl in WebSecurityConfig. The successful login request is forwarded
    // here (a POST), so the mapping deliberately has no HTTP-method restriction.
    @RequestMapping(value = "/login-success", produces = PLAIN_TEXT_UTF8)
    public String loginSuccess(){
        return "登陆成功";
    }

    // Protected resource 1: requires authority p1 (see WebSecurityConfig).
    @GetMapping(value = "/r/r1", produces = PLAIN_TEXT_UTF8)
    public String r1(){
        return "访问资源服务1";
    }

    // Protected resource 2: requires authority p2 (see WebSecurityConfig).
    @GetMapping(value = "/r/r2", produces = PLAIN_TEXT_UTF8)
    public String r2(){
        return "访问资源服务2";
    }
}
Spring Security实现用户认证和权限控制基于SpringBoot开发
SpringBoot概念
SpringBoot是一套Spring的快速开发框架,使用SpringBoot进行开发可以避免一些繁琐的工程搭建和配置,同时也集成了大量的常用框架,使开发效率大大提高。
- 搭建springboot工程导入依赖到pom.xml文件中
<!-- Spring Boot starters. No <version> is given here, so the versions are presumably managed
     by a Spring Boot parent/BOM that is outside this excerpt; confirm it is a supported line. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
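# application.yml: the nesting below was flattened in the listing; YAML needs the indentation
# to build the server / spring trees.
server:
  port: 8080
  servlet:
    context-path: /springbootsecurity # base URL: localhost:8080/springbootsecurity/
spring:
  application:
    name: springbootsecurity
  # Spring MVC view resolver
  mvc:
    view:
      prefix: /WEB-INF/views/
      suffix: .jsp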
/**
 * Servlet-context (Spring MVC) configuration; the Java-config equivalent of springmvc.xml.
 * Implements WebMvcConfigurer to customise the MVC setup.
 */
@Configuration
public class WebConfig implements WebMvcConfigurer {
    /** Registers a view controller so that "/" redirects to Spring Security's built-in login page. */
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        String loginRedirect = "redirect:/login";
        registry.addViewController("/").setViewName(loginRedirect);
    }
}
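/**
 * Spring Security configuration for the Spring Boot variant.
 * Extends WebSecurityConfigurerAdapter, defines the UserDetailsService and PasswordEncoder
 * beans and sets up the security interception rules in configure(HttpSecurity).
 */
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    /**
     * User information service (looks up user details by username).
     * Normally this queries a database; the sample keeps two demo accounts in memory.
     * The demo passwords are hashed with the configured PasswordEncoder before storage;
     * hard-coded credentials are for this sample only and must not be used in real code.
     */
    @Bean
    public UserDetailsService userDetailsService(){
        PasswordEncoder encoder = passwordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("zhangsan").password(encoder.encode("123456")).authorities("p1").build());
        manager.createUser(User.withUsername("lisi").password(encoder.encode("123")).authorities("p2").build());
        return manager;
    }
    /**
     * Password encoder: defines how a submitted password is compared with the stored one.
     * The original used NoOpPasswordEncoder, which is deprecated and compares plaintext, so the
     * user store held recoverable passwords. The delegating encoder hashes with bcrypt by default
     * and prefixes stored values with the encoder id ({bcrypt}), so matching keeps working if the
     * default algorithm is upgraded later. The fully qualified name is used because the import
     * block is outside this excerpt.
     */
    @Bean
    public PasswordEncoder passwordEncoder(){
        return org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
    /**
     * Security interception rules. Matchers are evaluated in order, so the specific /r/r1 and
     * /r/r2 rules must stay ahead of the /r/** catch-all. CSRF protection is left at its default
     * (enabled) for the form login.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/r/r1").hasAuthority("p1")   // /r/r1 requires authority p1
            .antMatchers("/r/r2").hasAuthority("p2")   // /r/r2 requires authority p2
            .antMatchers("/r/**").authenticated()      // everything under /r/ requires an authenticated user
            .anyRequest().permitAll()                  // all other requests are open
            .and()
            .formLogin()                               // enable form-based login
            .successForwardUrl("/login-success");      // forward to the custom success endpoint after login
    }
}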
// @RestController = @Controller + @ResponseBody: return values are written straight to the response body.
@RestController
public class LoginController {
    private static final String PLAIN_TEXT_UTF8 = "text/plain;charset=utf-8";

    // Target of successForwardUrl in WebSecurityConfig. The successful login request is forwarded
    // here (a POST), so the mapping deliberately has no HTTP-method restriction.
    @RequestMapping(value = "/login-success", produces = PLAIN_TEXT_UTF8)
    public String loginSuccess(){
        return "登陆成功";
    }

    // Protected resource 1: requires authority p1 (see WebSecurityConfig).
    @GetMapping(value = "/r/r1", produces = PLAIN_TEXT_UTF8)
    public String r1(){
        return "访问资源服务1";
    }

    // Protected resource 2: requires authority p2 (see WebSecurityConfig).
    @GetMapping(value = "/r/r2", produces = PLAIN_TEXT_UTF8)
    public String r2(){
        return "访问资源服务2";
    }
}